Bitwise Account Manager
Bitwise Account Manager (BAM) is an open source Chrome extension that digitally signs and relays API requests for Bitwise Terminal. BAM encrypts API credentials on disk using industry-standard primitives (AES and PBKDF2) and safeguards them in memory so that they are never exposed to third parties, including Bitwise Terminal itself.
Installation
1. (Optional but recommended) Create a dedicated Chrome profile for BAM.
   - In Chrome, open the People menu and choose Add Person.
   - Alternatively, click the Chrome profile icon at the top right, choose Manage People from the drop-down menu, and click Add Person.
   - An isolated Chrome profile keeps the extensions of your everyday profile (and their permissions) away from BAM, so they can neither interfere with it nor weaken the security of API trading. This only holds if you keep the dedicated profile free of other extensions.
2. Install Bitwise Account Manager from the Chrome Web Store.
For those who want to audit or modify the source code, replace step 2 above with the following steps.
2-1. Clone the git repository from a terminal:
git clone https://github.com/bitwisecc/bam
2-2. In Chrome, open chrome://extensions/ and turn on Developer mode.
2-3. Click Load unpacked and open the local BAM directory.
2-4. (Optional) Edit the source code as you like and reload the extension. Do not load both your cloned repository and the published extension at the same time.
How BAM works
The diagram above depicts how data flows between system components.
On any *.bitwise.cc page, click the BAM icon in Chrome's toolbar to activate it. In the pop-up window you can add, rename, or delete API keys (① in the diagram).
Because Chrome isolates an extension's window and storage from all websites and other extensions, sensitive API data do not leak. For added security, BAM derives an AES key from a user-supplied password (via PBKDF2) and encrypts account data on disk (②).
When (and only when) you visit a page on *.bitwise.cc (e.g. Bitwise Terminal), BAM injects its extension ID and version number into the host page so that the two sides can open a message channel (③).
Once the channel is established, the host page gets a read-only view of the account list (names and API key identifiers) but never the API secrets (④); without a secret, no valid request signature can be produced.
When you issue a command in Bitwise Terminal, e.g. submitting a limit order (⑤), the host page delegates the API request to BAM (⑥), since Bitwise Terminal itself cannot sign the request to make it valid.
Having signed the request, BAM submits it directly to BitMEX (⑦). On receiving the server's response (⑧), BAM forwards it to Bitwise Terminal (⑨), completing your command.
Throughout the session, API secrets never leave BAM.
Since BAM 2.0.0, authenticated WebSocket requests can also be signed by the extension. Because WebSocket connections are not subject to the browser's CORS policy, BAM only signs these requests and does not relay them; the host page sends them over its own connection.
Adding an account
1. Create an API key and secret at https://www.bitmex.com/app/apiKeys (or https://testnet.bitmex.com/app/apiKeys if you're using testnet). The default permission gives the key read-only access; change it to "Order" if you plan to run trading commands in Bitwise Terminal. Leave the Withdraw option unchecked, so that the key cannot move funds even if it is ever compromised.
2. Switch to Bitwise Terminal.
3. Click the BAM icon to open the pop-up window.
4. bitmex (default) or
5. Give the new account a name without whitespace.
6. Paste in the API key and secret and click
Note that Chrome closes an extension's pop-up window when you switch between browser tabs; click the BAM icon again to bring it back.
Renaming an account
Click the account name in the list to rename it.
Deleting an account
Click the [x] button next to an account to delete it.
Encrypting account data
Encryption is optional but recommended: without it, the account data (including API secrets) sit on disk in the clear, protected only by Chrome's profile isolation.
In BAM's pop-up, click
Type a password twice and click
The next time BAM starts, or when you click
you'll be prompted for the password to unlock the data.
If you forget the password, there is no way to recover it: you'll have to reinstall BAM and re-populate the API accounts. Keep the password somewhere safe, e.g. in a password manager.
Backup and restore
To make a data backup, click
It's recommended that you encrypt the data first, so that the backup contains no plaintext secrets.
To restore from a backup, click
Paste in the encoded data.
If it is encrypted, also enter the password.
Click [OK] to confirm.
Be aware that this overwrites your current account data.
License and code contribution
BAM's full source code is released under the very permissive MIT license.
For better security and performance, this extension has no external dependencies.
Bug reports and fixes are always welcome on GitHub. However, please refrain from sending pull requests with substantial changes or new dependencies unless they are security enhancements; we'd like to keep the repository lean to facilitate code auditing and modding.